Open dja-fr opened 2 years ago
The podman daemon has API compatibility with docker. The way we access podman is with our existing docker daemon API implementation in the underlying library, https://github.com/anchore/stereoscope. It's unclear what the next step is to access the underlying container storage without needing to pull in https://github.com/containers/storage et al., which we've looked into doing in the past and deferred until the dependencies could be better controlled (I also think there was a CGO limitation at the time; not certain if that is still a limitation).
The way dive is doing this is less ideal: https://github.com/wagoodman/dive/blob/64880972b0726ec2ff2b005b0cc97801067c1bb5/dive/image/podman/cli.go since there is a shell out that must be done and an implicit dependency on the podman CLI being installed. We try not to do this in syft since it is a static analysis tool (never execute anything if at all possible).
Do we know if the containers/storage repo still has the CGO build limitations? Side note: there was a recent discussion of being able to read directly from the containers storage path on disk without using podman directly.
edit: I think this is related https://github.com/anchore/stereoscope/issues/197
A workaround for the meantime is exporting the image with podman image save to get an archive and passing that archive to syft (syft ./image.tar). Will that work for your case in the meantime?
What would you like to be added: It could be nice if podman:yourrepo/yourimage:tag worked with a non-daemonic usage of podman.
Why is this needed: In CI/CD with a rootless setup of buildah/podman there is no daemon running. To make an analysis we have to push first to the docker registry and use registry:yourrepo/yourimage:tag. It could be a waste of time and resources (especially in the case where we run syft + grype, and it's useless to push a vulnerable image into the registry).
Additional context:
I don't know if it could help, but it's OK with dive: https://github.com/wagoodman/dive
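An added example (not code from this issue, syft or podman) wiring the podman image save workaround given above into the rootless CI flow the issue describes: export the image to a tar, scan it with syft and grype, and push only if the scan passes. The image reference, registry destination and the grype --fail-on threshold are assumed placeholders, not values from this thread.

```shell
#!/bin/sh
# Added example (not from the syft project): scan a rootless podman image in CI
# without a daemon by exporting it to a tar first, then gate the push on the scan.
set -eu

# Derive a filesystem-safe archive name from an image reference
# (yourrepo/yourimage:tag -> yourrepo_yourimage_tag.tar).
archive_name_for() {
  printf '%s.tar\n' "$(printf '%s' "$1" | tr '/:' '__')"
}

# Fail early if a required CLI is missing rather than partway through the job.
require_tool() {
  command -v "$1" >/dev/null 2>&1 || { echo "missing tool: $1" >&2; return 1; }
}

# Export image -> SBOM with syft -> vulnerability gate with grype -> push only on pass.
# FAIL_ON is passed to grype's --fail-on option (assumed here; defaults to "high").
scan_then_push() {
  image=$1
  registry_ref=$2
  archive=$(archive_name_for "$image")
  sbom="${archive%.tar}.sbom.json"
  require_tool podman && require_tool syft && require_tool grype
  podman image save -o "$archive" "$image"      # works rootless, no daemon involved
  syft "./$archive" -o json > "$sbom"
  grype "sbom:./$sbom" --fail-on "${FAIL_ON:-high}"
  podman push "$image" "$registry_ref"          # reached only if grype did not fail
}

# Usage: ./scan_then_push.sh localhost/yourimage:tag registry.example/yourrepo/yourimage:tag
if [ "$#" -eq 2 ]; then
  scan_then_push "$1" "$2"
fi
```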